(2) which non-NHS staff will have access to the NHS Care Records database.
All users of the new care records spine database are issued with a smartcard. As at the end of January 2007 there were some 320,000 authorised users registered for access.
The early adopter implementation of the summary care record will be phased, initially being deployed in a small number of healthcare communities. Access to the system across these communities will be limited to healthcare professionals in accident and emergency departments, primary care out of hours services, walk-in centres, and minor injuries units that require access for the provision of care. Over time, our obligations to patients who receive care outside traditional national health service settings—for example in the voluntary sector, from mixed teams of health and social care professionals, and in the independent sector under contract to the NHS—will mean that by the time an electronic care record has been created for every NHS patient in England in 2010 we anticipate there will be in excess of 850,000 users.
In all cases, access to records will only be permitted for the staff of organisations involved in delivering care to NHS patients, working as part of a team that is providing a patient with care, and will be limited to only as much information as is needed for the purpose of the care or other job role being performed in relation to the patient. Where those providing care are not NHS staff, patients will be informed of this and any objections raised will be respected.
(2) how (a) the audit trail, (b) role-based access and (c) legitimate relationships operate when smartcards are shared between NHS personnel; and what security measures are in place to protect patient confidentiality when smartcard access is shared.
Access to the national health service care records service (NHS CRS) is determined by local NHS organisations using policies, processes and technology provided by NHS Connecting for Health. In general only staff who are working as part of a team that is providing a patient with care—that is, those having a legitimate relationship with the patient—will be able to see a patient's health record.
Because of the differences that exist between and within organisations in the duties and responsibilities of individual staff within their work teams, access is not uniquely determined by profession, specialism or grade. Users are vetted and sponsored by their local organisations for specific access appropriate to their job role and area of work. Stringent proof of identity is required along with the endorsement of the local sponsor, a senior member of staff, for the receipt of a smartcard, a secure token that, together with a passcode, confirms the identity of a user at the time of access.
NHS organisations must undertake to observe strict conditions to ensure the NHS CRS is used appropriately, and the user is required to sign up to a set of conditions for use of the smartcard. The obligations and conditions are complemented by the various existing codes of conduct and professional responsibilities by which all NHS staff are bound. These obligations and conditions are assessed on a regular basis with the organisation, and the user is subject to local and national checking through audit trails and alerts.
Actions that do not conform to these obligations and conditions, which include the sharing of smartcards, are dealt with locally. Sharing of information between members of a team has happened routinely prior to the introduction of smartcards. However, though there is no evidence that smartcards have been shared beyond members working as part of a team that legitimately needs access to a patient's record, we recognise that the sharing of smartcards can undermine the assurance that patient confidentiality will always be appropriately respected. Staff who breach patient confidentiality are subject to professional disciplinary measures. Offending doctors and nurses will be reported to their professional regulatory bodies and may face additional disciplinary action, including removal of their licence to practise.
Arrangements known as role-based access controls will limit what a member of staff can do within the system and consequently which parts of a record he or she can see. Access to record content will therefore be controlled by a member of staff’s relationship with the patient, and by what they need to see to do their jobs. Senior clinicians within an organisation will also be able to see patient records when assuring the quality of care provided by their staff, but other access will only be authorised when required or permitted by law.
On a typical working day, by the end of January 2007, the spine database, which forms the core of the NHS care records service (NHS CRS), was being accessed by around 50,000 authenticated unique users. And during the last full week of January 2007, the approximate volumes of messages processed in connection with the following systems and services were:
personal demographic service—six and a half million
choose and book electronic booking service—over 1.4 million
electronic transmission of prescriptions—half a million.
Growth in all these volumes is rising dramatically with the increase in functionality across the NHS CRS and continuing roll-out of the various elements of the system, but already the spine is the world's biggest structured health care messaging system.
It is not possible to provide a realistic estimate of what these volumes will be by the time substantial integration of health and social care information systems in England has been achieved by 2010. These will depend significantly on the way in which health care management and delivery processes in the NHS adapt and develop to reflect the enormous potential of the systems and services being delivered under the national programme for information technology.